Open CycloneRing opened 1 week ago
Hello, the example you provided only shows a method to set a system call callback (or a Hook), and does not show how to let the debugger load symbols for the DLL.
However, I have experimented with x64dbg and VisualStudio and summarized the methods that can make them load symbols.
For x64dbg, you can use the "Add Virtual Module" function it provides. First, correctly copy the pdb symbol file of the module that needs to be loaded into the symbol directory of x64dbg (pay attention to the directory structure). Then find the first address of the module loaded in memory on the "Memory Graph" page, right-click and select "Add Virtual Module", and enter the correct dll file name (matching the pdb file name). After completing these, you can see the virtual module and symbol information just added on the "Symbol" page. Note that if the memory module is modified, the pdb file must be copied to the symbol directory of x64dbg synchronously.
For Visual Studio, it needs to be done through the driver. I just passed the test on Windows 10 LTSC / Visual Studio 2019. This method can achieve source code level debugging, but there will be some problems during debugging (breakpoints do not work / single-stepping over `rep` or `call` instructions cannot stop before the next instruction).
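The x64dbg procedure above hinges on one detail that is easy to get wrong: where the debugger expects to find the PDB. A debugger resolves a module's PDB from the CodeView (RSDS) entry in the image's debug directory, which carries the PDB GUID, age and file name, and a symsrv-style symbol store (the layout x64dbg's symbol directory also follows) files the PDB under `<pdb>\<GUID><age>\<pdb>`. The following is an added example, not code from this issue or from the project: it parses that record out of an image that is already mapped in memory and prints the relative path to copy the PDB to. The minimal PE32+ image, its GUID, age and the path `C:\build\memdll.pdb` are constructed for the example; the PE structure offsets are written out by hand so it builds without windows.h.

```c
/* Added example (not code from this issue or from the memory-module project).
 * Given a PE image already mapped in memory (so RVA == buffer offset), locate the
 * CodeView "RSDS" debug record and derive the symstore-style relative path
 * "<pdb>\<GUID><age>\<pdb>" that symsrv-based tools, x64dbg's symbol directory
 * included, expect. PE layouts are hand-written so this builds without windows.h. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_ENTRY_DEBUG     6
#define DEBUG_TYPE_CODEVIEW 2
#define DEBUG_ENTRY_SIZE    28
#define RSDS_MAGIC          0x53445352u /* "RSDS" read as a little-endian uint32 */

typedef struct { uint8_t guid[16]; uint32_t age; char pdb[260]; } cv_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* DOS -> NT -> optional header -> debug directory -> RSDS. Every offset is bounds-checked
 * against len, since a manually mapped module may be truncated or hostile. 1 = found. */
int find_codeview(const uint8_t *img, size_t len, cv_info *out)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return 0;                        /* "MZ" */
    uint32_t nt = rd32(img + 0x3C);                                          /* e_lfanew */
    if (nt > len || len - nt < 26 || rd32(img + nt) != 0x4550) return 0;    /* "PE\0\0" */
    uint32_t opt = nt + 24, opt_size = rd16(img + nt + 20), magic = rd16(img + opt);
    uint32_t dd = magic == 0x20B ? 112 : magic == 0x10B ? 96 : 0;            /* DataDirectory offset: PE32+ / PE32 */
    if (!dd || opt_size < dd + (DIR_ENTRY_DEBUG + 1) * 8 || opt + opt_size > len) return 0;
    const uint8_t *dir = img + opt + dd + DIR_ENTRY_DEBUG * 8;
    uint32_t dbg_rva = rd32(dir), dbg_size = rd32(dir + 4);
    if (dbg_rva > len || len - dbg_rva < dbg_size) return 0;
    for (uint32_t off = 0; off + DEBUG_ENTRY_SIZE <= dbg_size; off += DEBUG_ENTRY_SIZE) {
        const uint8_t *e = img + dbg_rva + off;
        if (rd32(e + 12) != DEBUG_TYPE_CODEVIEW) continue;                   /* Type */
        uint32_t size = rd32(e + 16), rva = rd32(e + 20);                    /* SizeOfData, AddressOfRawData */
        if (size <= 24 || rva > len || len - rva < size) continue;
        const uint8_t *cv = img + rva;
        if (rd32(cv) != RSDS_MAGIC) continue;
        size_t n = 0, max = size - 24;
        while (n < max && cv[24 + n]) n++;                                    /* PdbFileName must be NUL-terminated */
        if (n == max || n >= sizeof out->pdb) continue;
        memcpy(out->guid, cv + 4, 16);
        out->age = rd32(cv + 20);
        memcpy(out->pdb, cv + 24, n + 1);
        return 1;
    }
    return 0;
}

/* "<basename>\<GUID><age>\<basename>": GUID in Microsoft field order (Data1..Data3
 * little-endian, Data4 as raw bytes), age in unpadded hex, as symstore layouts use. */
int symstore_path(const cv_info *cv, char *out, size_t outlen)
{
    const char *base = cv->pdb;                                              /* RSDS usually holds the full build path */
    for (const char *p = cv->pdb; *p; p++) if (*p == '\\' || *p == '/') base = p + 1;
    if (!*base) return -1;
    const uint8_t *g = cv->guid;
    char sig[48];
    snprintf(sig, sizeof sig, "%08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X%X", rd32(g), rd16(g + 4),
             rd16(g + 6), g[8], g[9], g[10], g[11], g[12], g[13], g[14], g[15], cv->age);
    int w = snprintf(out, outlen, "%s\\%s\\%s", base, sig, base);
    return (w < 0 || (size_t)w >= outlen) ? -1 : w;
}

/* Constructed sample: a minimal PE32+ image with one CodeView entry, laid out as it
 * sits once mapped (headers at 0, debug directory at RVA 0x200, RSDS at 0x220). */
#define SAMPLE_PDB "C:\\build\\memdll.pdb"
size_t build_sample_image(uint8_t *buf, size_t len)
{
    static const uint8_t guid[16] = { 0x78,0x56,0x34,0x12, 0xBC,0x9A, 0xF0,0xDE,
                                      0x01,0x23,0x45,0x67,0x89,0xAB,0xCD,0xEF };
    if (len < 0x300) return 0;
    memset(buf, 0, 0x300);
    memcpy(buf, "MZ", 2); wr32(buf + 0x3C, 0x80);                            /* DOS header, e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x84] = 0x64; buf[0x85] = 0x86; buf[0x86] = 1; buf[0x94] = 240;       /* AMD64, 1 section, PE32+ opt header size */
    buf[0x98] = 0x0B; buf[0x99] = 0x02;                                      /* OptionalHeader.Magic = PE32+ */
    wr32(buf + 0x98 + 112 + DIR_ENTRY_DEBUG * 8, 0x200);                     /* DataDirectory[DEBUG].VirtualAddress */
    wr32(buf + 0x98 + 112 + DIR_ENTRY_DEBUG * 8 + 4, DEBUG_ENTRY_SIZE);      /* DataDirectory[DEBUG].Size */
    wr32(buf + 0x200 + 12, DEBUG_TYPE_CODEVIEW);
    wr32(buf + 0x200 + 16, 24 + (uint32_t)sizeof SAMPLE_PDB);               /* SizeOfData */
    wr32(buf + 0x200 + 20, 0x220);                                           /* AddressOfRawData */
    memcpy(buf + 0x220, "RSDS", 4); memcpy(buf + 0x224, guid, 16);
    wr32(buf + 0x234, 3); memcpy(buf + 0x238, SAMPLE_PDB, sizeof SAMPLE_PDB); /* Age, PdbFileName */
    return 0x300;
}

/* Parse the sample as if only visible_len bytes were mapped; NULL when the record
 * cannot be reached (e.g. a truncated image), else the symstore relative path. */
const char *demo_symstore_path(size_t visible_len)
{
    static uint8_t img[0x300]; static char path[512]; cv_info cv;
    if (!build_sample_image(img, sizeof img) || visible_len > sizeof img) return NULL;
    if (!find_codeview(img, visible_len, &cv) || symstore_path(&cv, path, sizeof path) < 0) return NULL;
    return path;
}

int main(void) { const char *p = demo_symstore_path(0x300); puts(p ? p : "no CodeView record"); return !p; }
```

Run it and it prints `memdll.pdb\123456789ABCDEF00123456789ABCDEF3\memdll.pdb`, i.e. the subdirectory of the symbol directory the PDB has to be copied into before "Add Virtual Module" can pick it up; the same parser pointed at a real mapped module gives the path for that module. Because the path is keyed on the GUID and age the linker writes at build time, every rebuild of the module produces a new signature and therefore a new subdirectory, which is why the PDB has to be copied again whenever the memory module changes.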
@bb107 Thanks for your response. I had a funny behavior I think is worth mentioning. Before your push on init/shutdown I used to load DLLs from memory using the DLL name and path with the Ex method, and in debug it was showing the DLL and all functions just like a normal DLL, and it could be debugged in Visual Studio! I have no idea how, but it was happening; even if the app crashed, the information was provided on the memory-mapped DLL.
Also there's a library called BoxedAppSDK which has a full PE loader that can load EXEs and DLLs directly from memory with the PDB included, and everything happens in user mode. I have a full source code license; I will take a look and let you know if I figure out how they are doing it.
When you load a DLL from memory using BoxedAppSDK it will show the DLL just like a normal one in every debugger.
This looks interesting, looking forward to your reply!
Hi @bb107, it would be great if you could add support for loading PDB debug symbols for loaded memory modules. It doesn't require a driver to do so. Here's how you can implement it: https://github.com/ionescu007/HookingNirvana/blob/master/instrument/main.c
Basically a few more hooks.